[Other] Malware posing as Dual Instance app steals users’ Twitter credentials

長了皺紋的心 posted on 2016-10-20 00:29:05


  Do you have more than one Twitter or WhatsApp account? If you answered yes, do you want to log in to these multiple accounts at the same time? Up until this point, logging in to multiple social media accounts at one time has only been possible by using more than one mobile device. Dual Instance is a technique that allows you to run more than one instance of a mobile application simultaneously. As we know, it never takes malware authors long to catch on to new trends, so cybercriminals have recently taken it upon themselves to create malicious versions of Dual Instance apps.
  Assuming you have installed the original Twitter app on your mobile device, it’s impossible to install another Twitter, unless it’s a counterfeit copy. However, if you have a piece of newly discovered malware installed, you’re able to download another original instance of Twitter’s authentic application on your device. Thus, you can log in with another account. However, as with all malware, this comes at a price.
  This malware, which we’ll refer to as ‘Dual Instance’ malware from this point on, has been captured from an online chat group in China. Due to some special policies, some foreign websites, including Twitter, could not be directly accessed in China’s mainland. Since these kinds of requests do arise from time to time, though, this malware’s author came up with the idea to develop a “modified” – not the original application, nor an illegal version -- Twitter app that allows users to log in to Twitter without any special configurations, such as a VPN.
  What is Dual Instance, anyway?

As stated above, Dual Instance makes it possible for users to log in to and run multiple instances of mobile applications on the same device. While it’s possible to find legitimate dual instance apps in app stores, there are also malicious apps that offer the same service and steal user credentials while doing so. As implied by its name, Dual Instance malware uses the technique to implement the aforementioned, modified version of Twitter on your device. Dual Instance is another kind of sandbox or virtualization: it simulates the most necessary components of Android’s system framework to start an app. While using the sandbox to start an app, it takes over most of the job of starting the new app’s process. As a result, a new instance becomes a reality. Let’s have a deeper look at this malware to see what makes it tick:
  Firstly, Dual Instance malware forges a certificate that looks just like the real one from Twitter.
   

[Figure 2]

The Twitter app’s legitimate certificate is also listed below.
   

[Figure 3]

It’s difficult to see significant differences between these two at first glance, isn’t it?
  In order to run the original Twitter, this malware hides the package in its asset directory.
   

[Figure 4]

Interestingly enough, in order to cheat the user, this malware takes com.twittre.android as its package name, while the legitimate one is com.twitter.android. As you can see, the difference lies in the order of the last two letters of the word ‘twitter’.
   

[Figure 5]
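As an added example (not code from the original post or from the VirtualApp project), the two impersonation tricks described above, a near-miss package name and a signing certificate that merely looks right, can be turned into a simple triage check over installed APKs. The trusted fingerprint value is a constructed placeholder, not Twitter’s real signer hash.

```python
# Hypothetical triage helper: flags lookalike package names and signer mismatches.
# The fingerprint below is a PLACEHOLDER, not Twitter's real certificate hash.
TRUSTED_APPS = {
    "com.twitter.android": "placeholder-sha256-of-genuine-twitter-signer",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one edit is an insert, delete,
    substitution, or an adjacent transposition such as 'er' -> 're'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def triage(package: str, cert_sha256: str) -> list:
    """Return human-readable findings for one installed app.

    - exact trusted package name but a different signer  -> forged certificate
    - one edit away from a trusted package name          -> lookalike package
    """
    findings = []
    if package in TRUSTED_APPS:
        if cert_sha256.lower() != TRUSTED_APPS[package].lower():
            findings.append(f"{package}: signer fingerprint does not match the genuine one")
        return findings
    for trusted in TRUSTED_APPS:
        if osa_distance(package, trusted) == 1:
            findings.append(f"{package}: lookalike of trusted package {trusted}")
    return findings


if __name__ == "__main__":
    # com.twittre.android is exactly one transposition away from com.twitter.android
    for line in triage("com.twittre.android", "constructed-unknown-signer"):
        print(line)
```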

  During Dual Instance malware’s start, data.apk is first extracted and then loaded. From our analysis, we found that the malware brings in an open source solution from GitHub. Below is the code excerpt of the process of loading data.apk.
   

[Figure 6]

VirtualCore is a development framework that can be thought of as a tool from a high-level perspective. VirtualCore allows you to run an embedded “child” application that is part of a superordinate “parent” application without installing it on the device. Based on these distinctive variable names within VirtualCore, we tracked down the open source project, VirtualApp, which provides a solution to directly run an app without installing it. After comparing this malware’s relevant logic with the source code of VirtualApp, we are sure that the malware takes advantage of VirtualApp to start the original Twitter. VirtualApp’s GitHub address is https://github.com/asLody/VirtualApp. Below is a part of its project’s description.
  “VirtualApp is an open platform for Android that allows you to create a Virtual Space, you can install and run apk inside. Beyond that, VirtualApp is also a Plugin Framework, the plugins running on VirtualApp does not require any constraints. VirtualApp does not require root, it is running on the local process.”
  What does Dual Instance malware aim to accomplish?

After a deep analysis of the VirtualCore module of this malware, we have seen some modifications added to VirtualCore. A thread call is inserted into the initialization step:
   

[Figure 7]

When looking deeper into this thread, we have come across some more interesting findings. This malware’s real aim is stealing users’ Twitter account credentials. It hooks the getText function of the EditText class to hijack the user’s input.
  First, the malware gets the source method and target method through reflection.
   

[Figure 8]

Then, it performs the hook.
   

[Figure 9]

Another interesting finding is that Dual Instance malware uses AndFix to handle the Java method hook. AndFix is another open source project hosted on GitHub, but its purpose is to let Android apps support hot-fixes. In this case, the hot-fix function mainly relies on the Java method hook. Dual Instance malware knows this theory well and carries it forward. It uses AndFix’s hook module to hijack the EditText component of Twitter’s login window. Below is the code excerpt of the getText function after it’s been hooked.
   

[Figure 10]

As the getText function is called in many scenarios, the malware only needs to make sure that the call connected to the account credentials is the one it pays attention to. Hence, it traverses the stack trace to check the calling chain. It can then get the input about the user’s Twitter account.
Once Dual Instance malware successfully captures the user’s login identity and password, it prints them out to Android logcat. This log output is used to feed the uploader. The uploader loops to monitor the log for a specific tag, which is ‘twittre’. Once it finds input, it parses the log content to get the identifier and password fields.
   

[Figure 11]

Below is a snapshot of the logcat output after we tried to log in with a non-existent account.
   

[Figure 12]
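The logcat hand-off described above (credentials written to the system log under the tag ‘twittre’ and read back by an uploader) is also what makes this behaviour easy to spot from the defender’s side. The following is an added example, not code from the original post: a small scanner over constructed logcat lines that flags the known-bad tag and any credential-like key=value field, redacting the values before reporting them.

```python
import re

# Constructed sample logcat lines (not captured from the real sample). The
# third line mimics the pattern described in the post: an app-chosen tag and
# identifier/password fields written in plaintext.
SAMPLE_LOGCAT = """\
10-20 00:29:05.101  1234  1234 I ActivityManager: Start proc 5678:com.twittre.android/u0a123
10-20 00:29:06.220  5678  5678 D VirtualCore: init done
10-20 00:29:30.417  5678  5701 I twittre: identifier=alice@example.com password=hunter2
10-20 00:29:31.002  5678  5678 W System.err: java.net.SocketTimeoutException
"""

# Standard "threadtime" logcat layout: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} [\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$"
)
# Keys that should never be logged in plaintext by any app.
SENSITIVE_KEY_RE = re.compile(
    r"\b(identifier|password|passwd|pwd|token)\s*[=:]\s*(\S+)", re.IGNORECASE
)


def scan_logcat(text: str, suspicious_tags=("twittre",)) -> list:
    """Return (timestamp, tag, redacted message, reason) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue
        tag, msg = m["tag"].strip(), m["msg"]
        reasons = []
        if tag in suspicious_tags:
            reasons.append("known-bad tag")
        if SENSITIVE_KEY_RE.search(msg):
            reasons.append("credential-like field in log message")
        if reasons:
            # Never copy the secret into the report; keep only the key name.
            redacted = SENSITIVE_KEY_RE.sub(lambda k: f"{k.group(1)}=<redacted>", msg)
            findings.append((m["ts"], tag, redacted, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in scan_logcat(SAMPLE_LOGCAT):
        print(finding)
```

On a real device the same function can be fed the output of `adb logcat -v threadtime`.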

  At last, Dual Instance malware uploads the credential information to a remote server.
   

[Figure 13]

Finally, Dual Instance malware’s goal has been achieved. However, we’re still forgetting one thing: this malware’s main selling feature is its ability to log in to Twitter in China without any special configurations. So how does this become possible? The answer is this: the malware sets up a local VPN service before the Twitter app launches on a user’s device.
   

[Figure 14]

Now, let’s recap this whole process. Put simply, Dual Instance malware behaves like a Twitter launcher. First, it drops Twitter’s installation package and starts Twitter through VirtualApp. During this time, it also sets up a VPN network. After Twitter has started, the modified VirtualCore module hooks the getText function of the EditText class to hijack the user’s input on the Twitter login window. After the user’s login credentials have been captured, the malware uploads them to a remote server.
Stealing account information is common for malware. However, the manner in which Dual Instance malware induces and steals from users is brand new. Usually, if malware wants to hijack a popular app, there are only a limited number of ways to do so: decompile the app first, add malicious code into it, then compile it again. We call this pipeline ‘repackaging’. As app-protection techniques develop, the chance of repackaging a popular app becomes smaller and smaller. Thus, the malware brings in Dual Instance and ‘repackages’ the target app in the Dual Instance sandbox.
  Beware of Dual Instance malware on app stores

Dual Instance is a new thing, but it has already managed to gain considerable speed in the digital realm. Below is a screenshot from the Google Play Store. The apps displayed are examples of clean, legitimate Dual Instance applications, and some of them already have lots of fans.
   

[Figure 15]

Further research on Dual Instance malware will help to minimize its spread on app stores by malware authors. Users should always be careful to download apps only from well-known app stores, while always remembering to examine all apps that they download onto their mobile devices.
SHA256 of the analyzed sample: b2d2568cb03fc3e01daca34071d160e9bf25218b9caea3367802b6d34b12087d



紅顔只爲君笑 posted on 2016-10-20 08:49:03
Why give up on treatment?

语柳 posted on 2016-10-21 15:02:24
Luckily love isn’t everything, and luckily everything isn’t love.

电商令狐冲 posted on 2016-10-22 03:52:25
If you don’t court death, you won’t die.

yongwoozzang posted on 2016-10-27 10:52:02
長了皺紋的心 is really bored.